Update update_dep.sh

[henrybear327]

Based on the experience of performing dependency bumps, some minor improvements are made to the script to make it conform to our current dependency bump procedure, listed as follows:

• print out the dependency's version before and after the bump
• check if the dependency is fully indirect
• change the behavior of bumping dependency (doesn't ignore bumping indirect dependency in the go mod files anymore)
• check if all dependencies across all go mod files have the same pinned version respectively after bumping a dependency

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

[henrybear327]

/cc @ivanvc
/cc @ahrtr
I am not good with bash scripts :(

This is the script that I have been using to bump the dependencies in the past months. Hopefully, it will be helpful for future volunteers before the dependabot is fixed!

[ivanvc]

@henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues?

[henrybear327]

@henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues?

@ivanvc let's draft the PR and you can probably take over it if you have time to improve it!

Hopefully it's a helpful start otherwise you can trash the PR and start from scratch!

Thanks!

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.95%. Comparing base (aeb47ee) to head (519a1ff).

⚠️ Current head 519a1ff differs from pull request most recent head f159f38

Please upload reports for the commit f159f38 to get more accurate results.

Additional details and impacted files

see 145 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #18609      +/-   ##
==========================================
+ Coverage   68.92%   68.95%   +0.02%     
==========================================
  Files         417      420       +3     
  Lines       34648    35762    +1114     
==========================================
+ Hits        23882    24659     +777     
- Misses       9350     9679     +329     
- Partials     1416     1424       +8     

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update aeb47ee...f159f38. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[henrybear327]

@henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues?

@ivanvc I have fixed the shellcheck errors

Maybe you can see if this is a good enough quality script to consider now!
Thank you!

[ahrtr]

Sometimes we still need bump pure indirect dependency, i.e. due to CVE. A couple of approaches:

• raise a question something "XXX is a pure indirect dependency, Are you sure you want to proceed? (y/n):"
• Or we can just print a warning and automatically continue to execute the script. As mentioned in previous comment, it's up to maintainers/contributors whether to bump a pure indirect dependency. If not, then they shouldn't run this script at all.

[ivanvc]

Thanks for the pull request, Henry. I haven't had a chance to check it before. I left some comments ✌️

[ivanvc]

By passing --include to the first grep, I don't think you need to pipe the second grep. It won't match go.sum files.

I think your regular expression can be simplified to "${mod} v". I don't see the value of ^.* and .*$, which matches anything before and after. I'd suggest simplifying.

[ivanvc]

Another approach would be to use go list for this, i.e., something like:

local result
result=$(find . -name go.mod | xargs -I{} /bin/sh -c 'cd $(dirname {}); go list -f "{{if eq .Path \"'"${mod}"'\"}}{{.Indirect}}{{end}}" -m all' | sort | uniq)
if [ "$result" = "true" ] ; then
   read -p "Module ${mod} is an indirect dependency. Are you sure you want to update it? [y/N] " -r confirm
   [[ "${confirm,,}" == "y" ]] || exit
else
  echo "Not fully..."
fi

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: henrybear327
Once this PR has been reviewed and has the lgtm label, please assign ivanvc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• scripts/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

@henrybear327: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-etcd-verify	f892b05	link	true	/test pull-etcd-verify
ci-etcd-robustness-release36-amd64	190eb93	link	true	/test ci-etcd-robustness-release36-amd64

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.